GDPR and Coveo

What is GDPR?

The General Data Protection Regulation (“GDPR”) is a new privacy regulation that replaces the EU Data Protection Directive (“Directive 95/46/EC”). It aims to harmonize data protection laws across EU by implementing a regulation directly applicable in each EU Member State. It creates new protections for EU data subjects’ fundamental right to privacy and implements significant fines for non-compliant businesses, thereby allowing EU data subjects to better control their personal data.

What’s new with GDPR?

  • Unified legal framework. GDPR is directly applicable in the EU Member States which creates a unified legal framework across EU Member States.
  • Enhanced rights for data subjects. Under the GDPR, data subjects can benefit from new rights, including the right to portability, the right to be forgotten, and the right not to be subject to automated decision making. GDPR also introduces specific provisions for minors under the age of 16.
  • Transparency and accountability. Under the GDPR, organisations need to implement appropriate technical and organisational measures including conducting privacy impact assessments, keeping detailed records on their data processing activities, communicating a data breach following a notification process, and if needed, appointing a data protection officer.
  • Cross-border data transfers. The Binding Corporate Rules (“BCR”) are officially considered valid under GDPR.
  • Shared responsibility. Under the GDPR, there is a shared responsibility between controllers and processors.
  • One stop shop. Businesses with point of contacts in different EU Member States can benefit from a unique point of contact, a lead supervisory authority, under the GDPR.  
  • Enforcement. Non-compliance can lead to administrative fines of up to €20,000,000 or, in the case of undertakings, 4% of global turnover, whichever is higher.

Who does GDPR apply to?

GDPR applies to any company established in the EU – whether or not the actual processing takes place in the EU, and to any company (not just in the EU) processing personal data belonging to EU subjects in relation to offered goods, services or monitoring behaviour.

What is considered “personal data” under GDPR?

Personal data means any information that relates to an identified or identifiable natural person. Examples of personal data includes identifiers such as IP address, location data or unique online identifiers. For a comprehensive list of what is considered personal data under the GDPR, please refer to Article 4(1).

How has Coveo been preparing GDPR changes?

Coveo’s security and legal teams analyzed our entire platform, services and business practices to strengthen our commitment to data protection, which includes:


All these processes take place under the governance of Coveo’s Data Protection Officer.


Additional information can be found in our Online Help section.

Does Coveo process personal data?

Since customers have control over the data that is sent to our hosted services, all customer data is assumed to potentially contain personally identifiable information (PII) and is secured accordingly. Coveo may also collect EU personal data for other purposes, as outlined in Coveo’s Privacy Policy.

Where does Coveo store customer data?

Coveo uses hosting facilities located in the United States. Coveo participates in the EU-US Privacy Shield and Swiss-US Privacy Shield Frameworks in order to ensure that EU personal data is transferred in accordance with GDPR.

Is Coveo a data processor or a data controller?

Coveo acts as a processor when processing data from its customers.

Does Coveo have a Data Processing Addendum (“DPA”)?

Yes. Coveo understands that its customers handling EU personal data need to implement appropriate safeguards to ensure that the processing of personal data is secure. Coveo’s DPA is available upon request for all cloud customers. To obtain a copy, please reach out to your sales contact, as mentioned on your order form.

How does Coveo fulfill data subject's rights with regards to a Coveo index?

EU citizens have the right to request a copy of their data, as well as having their data updated, deleted, restricted, or moved to another organization without hindrance. By design, Coveo allows customers to automatically address these requests, through self-service, by adjusting the data in the customer’s source systems that are indexed by Coveo.

Our customer's documents are constantly being refreshed in their Coveo index. If the data about a data subject is deleted or modified from the customer's source system, it will automatically be replicated on this customer's Coveo index.


Disclaimer: This page is intended to provide helpful guidance to our customers regarding GDPR and not to provide a comprehensive solution or legal advice.